Server Administrator Roles in MDM
10/3/2008
System Center Mobile Device Manager (MDM) uses role-based access control. Unlike an authentication system that specifies who a user is, role-based access is an authorization system that specifies what a user is authorized to access and what tasks that person can perform.
The following shows the Administrator Roles:
- DeviceAdministrators
- DeviceSupport
- HelpdeskOperator
- ServerAdministrators
The following shows the tasks that each administrator role gives users.
The following shows the tasks that a user who has the DeviceAdministrators role can perform.
Task | Cmdlet |
---|---|
Remove a wipe request for the specified managed Windows Mobile powered device if the wipe request is yet unprocessed. | Remove-WipeRequest |
Add a compromised managed Windows Mobile powered device to the blocked device table. | Add-BlockedDevice |
Configure the properties of the wipe service. | Set-WipeConfig |
Create a new device inventory collection task. | New-MDMInventoryItem |
Create a new managed device enrollment request. | New-EnrollmentRequest |
Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest |
Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice |
Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest |
Remove operational log entries from the Enrollment service database. | Remove-EnrollmentServiceLog |
Remove the specified device inventory collection task from the task list on the server. | Remove-MDMInventoryItem |
Resume all device inventory collection tasks that were suspended by using the Disable-MDMInventory cmdlet. | Enable-MDMInventory |
Return information about devices that MDM manages. | Get-MDMDevice |
Return information about the current set of managed blocked devices. | Get-BlockedDevice |
Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
Return pending managed device enrollment requests. | Get-EnrollmentRequest |
Return status information for the specified managed device. | Get-MDMDeviceStatus |
Return the collection of servers in MDM. | Get-MDMServer |
Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
Return the current configuration of the wipe service. | Get-WipeConfig |
Return the current global device management configuration. | Get-DeviceManagementConfig |
Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
Set all device inventory collection settings to their default values. | Restore-MDMInventoryDefaults |
Set the collection frequency for a device inventory collection item. | Set-MDMInventoryItem |
Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig |
Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig |
Set the global device management configuration values. | Set-DeviceManagementConfig |
Suspend all currently active device inventory collection tasks. | Disable-MDMInventory |
Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig |
Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig |
Update the Resultant Set of Policy (RSoP) held by the server for a given device. | Update-MobilePolicyCalculation |
The following shows the tasks that a user who has the DeviceSupport role can perform.
Task | Cmdlet |
---|---|
Remove a wipe request for the specified managed Windows Mobile powered device if the wipe request is yet unprocessed. | Remove-WipeRequest |
Add a compromised managed device to the blocked device table. | Add-BlockedDevice |
Create a new managed device enrollment request. | New-EnrollmentRequest |
Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest |
Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice |
Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest |
Return information about devices that MDM manages. | Get-MDMDevice |
Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
Return pending managed device enrollment requests. | Get-EnrollmentRequest |
Return status information for the specified managed device. | Get-MDMDeviceStatus |
Return the collection of servers in MDM. | Get-MDMServer |
Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
Return the current configuration of the wipe service. | Get-WipeConfig |
Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
Return the current global device management configuration. | Get-DeviceManagementConfig |
Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |
The following shows the tasks that a user who has the HelpdeskOperator role can perform.
Task | Cmdlet |
---|---|
Create a new managed device enrollment request. | New-EnrollmentRequest |
Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
Return information about devices that MDM manages. | Get-MDMDevice |
Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
Return pending managed device enrollment requests. | Get-EnrollmentRequest |
Return status information for the specified managed device. | Get-MDMDeviceStatus |
Return the collection of servers in MDM. | Get-MDMServer |
Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
Return the current configuration of the wipe service. | Get-WipeConfig |
Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
Return the current global device management configuration. | Get-DeviceManagementConfig |
Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |
The following shows the tasks that a user who has the ServerAdministrators role can perform.
Task | Cmdlet |
---|---|
Add a new computer that is running MDM Gateway Server to MDM. | Add-MDMGatewayServer |
Configure the properties of the wipe service. | Set-WipeConfig |
Disable Windows Preprocessor (WPP) logging for one or more components. A user who has local administrator privileges can perform this task locally on the server. A user who has the ServerAdministrators role can use the cmdlet with the appropriate parameters to perform this task remotely, or on the local server, without requiring local administrative credentials. | Disable-MDMTrace |
Enable WPP logging for one or more components. A user who has local administrator privileges can perform this task locally on the server. A user who has the ServerAdministrators role can use the cmdlet with the appropriate parameters to perform this task remotely, or on the local server, without requiring local administrative credentials. | Enable-MDMTrace |
Remove MDM Gateway Server and all corresponding properties from MDM. | Remove-MDMGatewayServer |
Return information about devices that MDM manages. | Get-MDMDevice |
Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
Return pending managed device enrollment requests. | Get-EnrollmentRequest |
Return status information for the specified managed device. | Get-MDMDeviceStatus |
Return the collection of servers in MDM. | Get-MDMServer |
Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
Return the current configuration of the wipe service. | Get-WipeConfig |
Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
Return the current global device management configuration. | Get-DeviceManagementConfig |
Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig |
Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig |
Set the global device management configuration values. | Set-DeviceManagementConfig |
Start the VPN service on the specified MDM Gateway Server. | Start-MDMVPNService |
Stop the VPN service on the specified MDM Gateway Server. | Stop-MDMVPNService |
Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig |
Update the current settings for the specified MDM Gateway Server. | Set-MDMGatewayServer |
Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig |
Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |
The following shows the tasks that each role can perform.
Task | Cmdlet | Required Admin Role |
---|---|---|
Add a compromised managed device to the blocked device table. | Add-BlockedDevice | DeviceAdministrators, DeviceSupport |
Add a new computer that is running MDM Gateway Server to MDM. | Add-MDMGatewayServer | ServerAdministrators |
Suspend all currently active device inventory collection tasks. | Disable-MDMInventory | DeviceAdministrators |
Disable WPP logging for one or more components. | Disable-MDMTrace | ServerAdministrators or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
Resume all device inventory collection tasks that were suspended with the Disable-MDMInventory cmdlet. | Enable-MDMInventory | DeviceAdministrators |
Enable WPP logging for one or more components. | Enable-MDMTrace | ServerAdministrators role, or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
Return information about the current set of managed devices that are blocked. | Get-BlockedDevice | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the current global device management configuration. | Get-DeviceManagementConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the current configuration of the Enrollment service. | Get-EnrollmentConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return pending managed device enrollment requests. | Get-EnrollmentRequest | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return information about managed devices that MDM controls. | Get-MDMDevice | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return status information for the specified managed device. | Get-MDMDeviceStatus | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer | ServerAdministrators, DeviceSupport, HelpdeskOperator |
Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the currently active device inventory collection tasks. | Get-MDMInventoryItem | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the collection of servers in MDM. | Get-MDMServer | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the current configuration of the wipe service. | Get-WipeConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Create a new managed device enrollment request. | New-EnrollmentRequest | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Create a new device inventory collection task. | New-MDMInventoryItem | DeviceAdministrators |
Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest | DeviceAdministrators, DeviceSupport |
Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice | DeviceAdministrators, DeviceSupport |
Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
Remove operational log entries from the Enrollment service database. | Remove-EnrollmentServiceLog | DeviceAdministrators |
Remove MDM Gateway Server and all corresponding properties from MDM. | Remove-MDMGatewayServer | ServerAdministrators |
Remove the specified device inventory collection task from the task list on the server. | Remove-MDMInventoryItem | DeviceAdministrators |
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest | DeviceAdministrators, DeviceSupport |
Set all device inventory collection settings to their default values. | Restore-MDMInventoryDefaults | DeviceAdministrators |
Set the global device management configuration values. | Set-DeviceManagementConfig | ServerAdministrators, DeviceAdministrators |
Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig | ServerAdministrators, DeviceAdministrators |
Update the current settings for the specified MDM Gateway Server. | Set-MDMGatewayServer | ServerAdministrators |
Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig | ServerAdministrators, DeviceAdministrators |
Set the collection frequency for a device inventory collection item. | Set-MDMInventoryItem | DeviceAdministrators |
Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig | ServerAdministrators, DeviceAdministrators |
Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig | ServerAdministrators, DeviceAdministrators |
Configure the properties of the wipe service. | Set-WipeConfig | ServerAdministrators, DeviceAdministrators |
Start the VPN service on the specified MDM Gateway Server. | Start-MDMVPNService | ServerAdministrators |
Stop the VPN service on the specified MDM Gateway Server. | Stop-MDMVPNService | ServerAdministrators |
Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |